
So, to verify, would you rather pay a (smaller) fee upfront for every registration (effectively, insurance against revocation), rather than pay a (larger) fee if and only if you ever need to revoke? (Or, are you saying that StartSSL is somehow evil, because they refuse to do everything you ever wished they could do for you with no compensation of any kind?) (Is the issue simply that they won't revoke without a fee, even if you don't have your key reissued? I thought that it was just a charge for reissue, but if they won't let you even revoke the key without reissue, then I agree that sucks; but that doesn't seem to be what you are complaining about.)



I think Startcom are morally in the right about the payment issue and entitled to have whatever business model they want. But at the same time that's a separate issue from their responsibilities as a CA and whether those are compatible with their business model. I got burned by Heartbleed and I was proactive about getting my certs revoked because it never occurred to me that I should beg for a free revoke because it wasn't my fault or something. But now I see that Startcom is in a tough position because they should be revoking the guy's cert and just billing him, but his backlash is not atypical and free cert offers probably select for the type of person who will avoid paying for things at all costs.


Hmm. Would I rather pay a fee every year for my domain name or only if I happen to need to change my name servers, contact info or account password? Perhaps more realistically, pay the host before a transfer or early termination. Yes, getting started might be free, but that just makes accidental lock-in easier. Life happens, changes happen. Free should be free, is all I'm saying. Makes for a better internet. Maybe browser vendors should offer free SSL certs, or promote pinning self-signed ones somehow? ;-)


What I would rather have is a %$#@! CA cert signed by my registrar valid for *.my-domain.com for free. In what world should I have to pay annually for some asshole to run "openssl ca" on my behalf? Our whole CA system is bullshit.


No, they are evil because they are lying to me.

When Mozilla put them in my browser, they promised “we will make sure that only people who own the domains get certs for them”. Now there are a bunch of people with leaked private keys and StartSSL is apparently doing nothing about them.

Note that I don’t care what StartSSL wants their “customers” to do, nor do I care what these “customers” want StartSSL to do, but I do care about private keys with associated valid StartSSL certificates floating around the internet, and it is not the responsibility of the owners of these keys to revoke the certs ASAP but StartSSL’s. Given that they don’t seem willing to do so, I’ll have to remove their CA from my browser.

One easy way out for “free certs” would be a clause like “If we have reasonable evidence that your certificate is compromised, we will revoke it immediately and you agree to pay a handling fee of 25 € for that.” in their Terms and Conditions. If such a clause were illegal, I guess free certificates are just not feasible.
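Two of the comments above make mechanical claims worth seeing in practice: that issuing a wildcard certificate is just running "openssl ca", and that a CA can revoke a certificate for a compromised key whether or not the subscriber cooperates. The script below is an added example, not StartSSL's or anyone else's tooling. It stands up a throwaway private CA with the OpenSSL command line, issues a certificate for the made-up name `*.my-domain.example`, confirms it verifies, revokes it with reason keyCompromise, publishes a CRL, and shows the same certificate failing verification afterwards. It assumes OpenSSL 1.1.1 or later on PATH (for `req -addext`); the directory layout, section names and hostnames are all inventions for the demo.

```shell
#!/bin/sh
# Added example: a minimal private CA with the openssl CLI.
# Everything here (paths, section names, hostnames) is made up for the demo.
set -eu

CA_DIR="${CA_DIR:-$(mktemp -d)}"

# Create the CA key, self-signed CA cert, the database files `openssl ca` insists on,
# and an initial (empty) CRL so revocation checks always have a CRL to consult.
ca_init() {
    mkdir -p "$CA_DIR/newcerts"
    : > "$CA_DIR/index.txt"          # issued-certificate database, empty to start
    echo 1000 > "$CA_DIR/serial"
    echo 1000 > "$CA_DIR/crlnumber"
    cat > "$CA_DIR/ca.cnf" <<EOF
[ ca ]
default_ca = local_ca

[ local_ca ]
dir              = $CA_DIR
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
certificate      = \$dir/ca.pem
private_key      = \$dir/ca.key
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
default_md       = sha256
default_days     = 365
default_crl_days = 30
unique_subject   = no
policy           = policy_cn_only
copy_extensions  = copy
x509_extensions  = server_ext

[ policy_cn_only ]
commonName = supplied

[ req ]
prompt             = no
distinguished_name = req_dn

[ req_dn ]
commonName = overridden-by-subj

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign

[ server_ext ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    openssl ecparam -name prime256v1 -genkey -noout -out "$CA_DIR/ca.key"
    openssl req -config "$CA_DIR/ca.cnf" -x509 -new -key "$CA_DIR/ca.key" \
        -subj "/CN=Registrar Private CA (example)" -days 3650 \
        -extensions ca_ext -out "$CA_DIR/ca.pem"
    openssl ca -config "$CA_DIR/ca.cnf" -gencrl -out "$CA_DIR/crl.pem"
}

# Issue a certificate for hostname $1 (wildcards allowed); writes $2.key, $2.csr, $2.pem.
# copy_extensions=copy carries the SAN from the CSR into the certificate.
ca_issue() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$2.key"
    openssl req -config "$CA_DIR/ca.cnf" -new -key "$2.key" \
        -subj "/CN=$1" -addext "subjectAltName=DNS:$1" -out "$2.csr"
    openssl ca -config "$CA_DIR/ca.cnf" -batch -notext -in "$2.csr" -out "$2.pem"
}

# Revoke certificate $1 for key compromise and republish the CRL. Note that this
# needs only the certificate (public), not the subscriber's key or consent.
ca_revoke() {
    openssl ca -config "$CA_DIR/ca.cnf" -revoke "$1" -crl_reason keyCompromise
    openssl ca -config "$CA_DIR/ca.cnf" -gencrl -out "$CA_DIR/crl.pem"
}

# Exit 0 only if $1 chains to our CA and is not on the current CRL.
ca_verify() {
    openssl verify -crl_check -CAfile "$CA_DIR/ca.pem" \
        -CRLfile "$CA_DIR/crl.pem" "$1" >/dev/null 2>&1
}

main() {
    ca_init
    ca_issue "*.my-domain.example" "$CA_DIR/wild"
    ca_verify "$CA_DIR/wild.pem" && echo "issued: *.my-domain.example verifies against the CA"
    ca_revoke "$CA_DIR/wild.pem"
    if ca_verify "$CA_DIR/wild.pem"; then
        echo "BUG: revoked certificate still verifies"
    else
        echo "revoked: the same certificate now fails -crl_check"
    fi
    echo "CA state left in $CA_DIR"
}

main "$@"
```

The relying-party side matters as much as the CA side: a revocation the CA records but the client never checks changes nothing, which is why the `ca_verify` step passes `-crl_check` explicitly rather than only validating the chain.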



